Can the Active Directory userAccountControl attribute be mapped in DirXML 1.1a, Identity Manager 2, or IDM 3?

  • 7001154
  • 14-Aug-2008
  • 26-Apr-2012

Environment

Novell Identity Manager - Nsure Identity Manager 2.0
Novell Identity Manager 3.0
Novell Identity Manager 3.5
Novell Identity Manager 3.5.1
Novell Identity Manager DirXML 1.1a
Novell Active Directory Driver
Nsure Identity Manager 2.0
Novell DirXML 1.1a

Situation

Can the Active Directory userAccountControl attribute be mapped in DirXML 1.1a or in the various versions of Identity Manager (from 2.0 to 3.6)?

Resolution

The Active Directory attribute userAccountControl is an Integer whose bits control logon account properties, such as whether logon is allowed, passwords are required, or the account is locked. Synchronizing the Boolean properties individually is problematic because each property is embedded in the Integer value.

DirXML 1.1a
Version 2 of the Active Directory driver took a shortcut that let you map userAccountControl to the eDirectory Login Disabled attribute, but didn't let you map the other property bits within the attribute.

Nsure Identity Manager 2.0x
In version 3 of the Active Directory Driver, each bit within the userAccountControl attribute can be referenced individually as a Boolean value, or userAccountControl can be managed in total as an Integer. The driver recognizes a Boolean alias for each bit within userAccountControl. These alias values are included in the schema for any class that includes userAccountControl. The alias values are accepted on the Subscriber channel and are presented on the Publisher channel. The Active Directory 3.0 driver is only supported with Identity Manager 2.0.

IDM 3.0 to 3.6
The Active Directory Driver documentation has information on syncing this attribute. The driver now pulls in all the values and sets more of them directly. Some customization is still necessary in order to map the attribute values in AD to an attribute value in eDirectory.
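
The following is an added example, not code from this TID or from the driver: it decodes a userAccountControl Integer into one Boolean per bit, changes a single bit (as a Login Disabled mapping would) without disturbing the others, and lists set bits that weaken authentication. Flag names and values are Microsoft's documented ones rather than the driver's alias names, and the sample value is constructed.

```python
# Added example. Flag names/values follow Microsoft's userAccountControl
# documentation; they are not the Identity Manager driver's alias names.
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "SMARTCARD_REQUIRED": 0x40000,
    "DONT_REQ_PREAUTH": 0x400000,
}
# Bits that weaken authentication; worth reviewing after any sync change.
RISKY = ("PASSWD_NOTREQD", "ENCRYPTED_TEXT_PWD_ALLOWED",
         "DONT_EXPIRE_PASSWORD", "DONT_REQ_PREAUTH")


def decode(uac):
    """Split the Integer into one Boolean per known flag."""
    return {name: bool(uac & bit) for name, bit in UAC_FLAGS.items()}


def set_flag(uac, name, enabled):
    """Read-modify-write a single bit; every other bit is preserved."""
    bit = UAC_FLAGS[name]
    return (uac | bit) if enabled else (uac & ~bit)


def login_disabled_to_uac(current_uac, login_disabled):
    """Apply a Boolean such as eDirectory Login Disabled to ACCOUNTDISABLE only."""
    return set_flag(current_uac, "ACCOUNTDISABLE", login_disabled)


def risky_flags(uac):
    """Names of authentication-weakening bits that are set, in RISKY order."""
    flags = decode(uac)
    return [name for name in RISKY if flags[name]]


if __name__ == "__main__":
    # Constructed sample: NORMAL_ACCOUNT | PASSWD_NOTREQD | DONT_EXPIRE_PASSWORD
    sample = 0x10220
    disabled = login_disabled_to_uac(sample, True)
    print(hex(disabled), decode(disabled)["ACCOUNTDISABLE"])
    # Writing a bare "disabled" Integer instead would drop the other bits.
    print(risky_flags(disabled), risky_flags(0x0202))
```

Overwriting the attribute with a fixed Integer to disable an account silently clears or leaves stale every other property, which is why the per-bit Boolean handling described above matters.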

Additional Information

Formerly known as TID# 10092771